Software License Audit Q&A

I hope you joined our recent webinar on how to respond to a software license audit, “Auditors at the Door - Open Up or Run and Hide?” We outlined best practices for how to respond to a software vendor audit. If you missed it, you can watch the full recording and edited highlights here. We took questions from our webinar attendees and compiled them in this blog for your reference.

Q: We’ve already received a software license audit letter. Is it too late to get help?

A: No, it’s not. In fact, the majority of our recent engagements have started when a 1E customer has already begun the process of responding to the vendor.

Our preference is to be there right at the start, because we can guide you by making sure there is an executive sponsor, and ensuring the team is made aware of the audit and instructed not to talk to the vendor for any reason – because that vendor is going to fish for information.

But we can be called in at any time. Recently, we were called in after the company actually delivered the software license audit report back to the vendor! That’s a little bit more of an uphill climb for us, because we then need to race to assess what was actually reviewed and reported to the vendor. Through our expertise, though, we could have brought that information to the company and helped them to extract a better resolution from the vendor.

Q: My understanding is that vendors are not supportive of the ISO standard. Is this true?

A: No. Vendors are very supportive of it. The idea that vendors are not supportive is based on years past. But as the standard has matured, we have the process standard, a software identification tag, and entitlement schemas, and these are heavily dependent on having the support of software vendors. In the -2 and -3 of the ISO standards, you have large vendors like Microsoft, IBM, HP, Adobe, Symantec, and others who are looking to support that standard not simply by attending the meeting but by putting resources behind it.

Q: What exactly is the ISO process implementation and certification?

A: The ISO standard creates goalposts for what an organization needs to do to effectively manage its software assets.

One of the things that it talks about is the software lifecycle: how you go about acquiring software, and then how you effectively manage that right through retirement. The ISO standard, when you put those processes in, actually gets you far closer to ongoing compliance, not just to the ISO standard, but closer to the agreement that you have in place with your software vendors.

Organizations that are employing the ISO SAM standard have robust policies to effectively manage their software assets. And through doing that, they have a propensity not to have as much or any unlicensed software.

1E can come in and certify the successful implementation of those policies. When you actually hold up that certification to the vendor, you’re serving notice that you’ve implemented these policies, and the pickings – if they come knocking on your door – are going to be very slim.

Q: Who do you recommend being the single point of contact within the organization for responding to the vendor during an audit?

A: That’s always a difficult question because it’s going to vary based on the size of the organization. But my recommendation is that the executive sponsor is the person who’s actually going to negotiate the resolution with the software vendor.

In most cases, this tends to be the CIO or CFO. Those folks may not actually understand the data collection process that was utilized. The goal of the audit team is to articulate how that audit was actually done, the things that are effective in terms of limiting exposure back to the vendor, articulating the anomalies or inaccuracies in a vendor’s audit report, and educating the CFO so that they can successfully negotiate the final resolution.

Q: Is there any difference between a vendor SAM review, and a license compliance audit?

A: There are very, very few differences between those two. Some vendors interchange the words. Theoretically, SAM should be a sort of self-audit, where they may be contacting you and asking you to voluntarily share your installation data. With the license compliance audit, sometimes the difference is that they may actually send their own people, whether it’s their own direct staff or an audit firm, to complete the audit. But at the end of the day, they are looking to make sure you’ve paid for all the software you’re using.

Q: What about unused software? How might you consider that during preparation for an audit?

A: 1E has an exceptional report on unused software, based on data collected over 4 years and from 3.6M desktops. We found that on average 37% of all software is unused or rarely used. Knowing what you have not used within your environment allows you to pull that software off your workstations and keep it on the shelf, which is going to minimize findings based on the vendor audit report. Then, if you need that software, you don’t have to go out and buy it. You have a copy on the shelf you can deploy. That’s all effectively managed via AppClarity and Shopping, 1E’s Enterprise App Store.